authorBjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>2021-12-12 14:11:11 +0300
committerBjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>2021-12-16 11:40:22 +0300
commitf4389e48ce0a70807362772d66c12ab5cd9e15f8 (patch)
tree1334516a199dcdf4133758e3664348287e73e88b /tpl
parent803f572e66c5e22213ddcc994c41b3e80e9c1f35 (diff)
Add some basic security policies with sensible defaults
This commit contains some security hardening measures for the Hugo build runtime. There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers". For `asciidoctor` and some others we use Go's `os/exec` package to start a new process. These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off. You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that does happen, you will get clear instructions in the log about what to do. The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all. ```toml [security] enableInlineShortcodes = false [security.exec] allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$'] osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$'] [security.funcs] getenv = ['^HUGO_'] [security.http] methods = ['(?i)GET|POST'] urls = ['.*'] ```
Diffstat (limited to 'tpl')
-rw-r--r--tpl/collections/collections_test.go3
-rw-r--r--tpl/data/data.go7
-rw-r--r--tpl/data/resources.go7
-rw-r--r--tpl/data/resources_test.go7
-rw-r--r--tpl/os/os.go4
-rw-r--r--tpl/transform/transform_test.go2
6 files changed, 26 insertions, 4 deletions
diff --git a/tpl/collections/collections_test.go b/tpl/collections/collections_test.go
index 3faf46930..8cced6fe5 100644
--- a/tpl/collections/collections_test.go
+++ b/tpl/collections/collections_test.go
@@ -32,7 +32,6 @@ import (
"github.com/gohugoio/hugo/hugofs"
"github.com/gohugoio/hugo/langs"
"github.com/spf13/afero"
-
)
type tstNoStringer struct{}
@@ -973,7 +972,7 @@ func ToTstXIs(slice interface{}) []TstXI {
func newDeps(cfg config.Provider) *deps.Deps {
l := langs.NewLanguage("en", cfg)
l.Set("i18nDir", "i18n")
- cs, err := helpers.NewContentSpec(l, loggers.NewErrorLogger(), afero.NewMemMapFs())
+ cs, err := helpers.NewContentSpec(l, loggers.NewErrorLogger(), afero.NewMemMapFs(), nil)
if err != nil {
panic(err)
}
diff --git a/tpl/data/data.go b/tpl/data/data.go
index e993ed140..cfd847474 100644
--- a/tpl/data/data.go
+++ b/tpl/data/data.go
@@ -24,6 +24,7 @@ import (
"strings"
"github.com/gohugoio/hugo/common/maps"
+ "github.com/gohugoio/hugo/config/security"
"github.com/gohugoio/hugo/common/types"
@@ -88,6 +89,9 @@ func (ns *Namespace) GetCSV(sep string, args ...interface{}) (d [][]string, err
err = ns.getResource(cache, unmarshal, req)
if err != nil {
+ if security.IsAccessDenied(err) {
+ return nil, err
+ }
ns.deps.Log.(loggers.IgnorableLogger).Errorsf(constants.ErrRemoteGetCSV, "Failed to get CSV resource %q: %s", url, err)
return nil, nil
}
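Review bot: The new access-denied guard in GetCSV is repeated verbatim in GetJSON in the next hunk; since both branches are identical, the `if security.IsAccessDenied(err) { return nil, err }` early return could live in one place, for example inside `getResource` or a small shared helper, so the policy decision is not duplicated per fetcher. The distinction matters: a denied URL must surface as an error and fail the build, whereas other fetch failures are downgraded to a logged `nil, nil`, and a future fetcher that forgets the guard would silently swallow a policy violation. Separately, in the import hunk the added `config/security` line sits between `common/maps` and `common/types`, which goimports will reorder. GetCSV starts and ends outside the hunk.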
@@ -121,6 +125,9 @@ func (ns *Namespace) GetJSON(args ...interface{}) (interface{}, error) {
err = ns.getResource(cache, unmarshal, req)
if err != nil {
+ if security.IsAccessDenied(err) {
+ return nil, err
+ }
ns.deps.Log.(loggers.IgnorableLogger).Errorsf(constants.ErrRemoteGetJSON, "Failed to get JSON resource %q: %s", url, err)
return nil, nil
}
diff --git a/tpl/data/resources.go b/tpl/data/resources.go
index b38b2784a..b4b310bcc 100644
--- a/tpl/data/resources.go
+++ b/tpl/data/resources.go
@@ -38,6 +38,13 @@ var (
// getRemote loads the content of a remote file. This method is thread safe.
func (ns *Namespace) getRemote(cache *filecache.Cache, unmarshal func([]byte) (bool, error), req *http.Request) error {
url := req.URL.String()
+ if err := ns.deps.ExecHelper.Sec().CheckAllowedHTTPURL(url); err != nil {
+ return err
+ }
+ if err := ns.deps.ExecHelper.Sec().CheckAllowedHTTPMethod("GET"); err != nil {
+ return err
+ }
+
var headers bytes.Buffer
req.Header.Write(&headers)
id := helpers.MD5String(url + headers.String())
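Review bot: `CheckAllowedHTTPMethod("GET")` validates a hard-coded method rather than the one the request actually carries; `if err := ns.deps.ExecHelper.Sec().CheckAllowedHTTPMethod(req.Method); err != nil {` keeps the policy tied to what is sent should a caller ever build a non-GET request. The URL check is applied to `req.URL` only, so if the client that performs the request (outside this hunk) follows redirects, the redirect target is never compared against the `urls` allowlist; a `CheckRedirect` hook that re-runs `CheckAllowedHTTPURL` on each hop would close that gap. Also, `ns.deps.ExecHelper` is dereferenced without a nil check while the sibling test packages in this commit pass `nil` to `NewContentSpec`; presumably those tests never reach getRemote, but a nil guard or a comment stating that ExecHelper is required here would make the contract explicit. getRemote continues past the end of the hunk.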
diff --git a/tpl/data/resources_test.go b/tpl/data/resources_test.go
index 8425bf87a..e825c2be1 100644
--- a/tpl/data/resources_test.go
+++ b/tpl/data/resources_test.go
@@ -22,12 +22,14 @@ import (
"testing"
"time"
+ "github.com/gohugoio/hugo/config/security"
"github.com/gohugoio/hugo/modules"
"github.com/gohugoio/hugo/helpers"
qt "github.com/frankban/quicktest"
"github.com/gohugoio/hugo/cache/filecache"
+ "github.com/gohugoio/hugo/common/hexec"
"github.com/gohugoio/hugo/common/loggers"
"github.com/gohugoio/hugo/config"
"github.com/gohugoio/hugo/deps"
@@ -193,8 +195,10 @@ func newDeps(cfg config.Provider) *deps.Deps {
}
cfg.Set("allModules", modules.Modules{mod})
+ ex := hexec.New(security.DefaultConfig)
+
logger := loggers.NewIgnorableLogger(loggers.NewErrorLogger(), "none")
- cs, err := helpers.NewContentSpec(cfg, logger, afero.NewMemMapFs())
+ cs, err := helpers.NewContentSpec(cfg, logger, afero.NewMemMapFs(), ex)
if err != nil {
panic(err)
}
@@ -215,6 +219,7 @@ func newDeps(cfg config.Provider) *deps.Deps {
Cfg: cfg,
Fs: fs,
FileCaches: fileCaches,
+ ExecHelper: ex,
ContentSpec: cs,
Log: logger,
LogDistinct: helpers.NewDistinctLogger(logger),
diff --git a/tpl/os/os.go b/tpl/os/os.go
index e729b810b..43c42f5e1 100644
--- a/tpl/os/os.go
+++ b/tpl/os/os.go
@@ -56,6 +56,10 @@ func (ns *Namespace) Getenv(key interface{}) (string, error) {
return "", nil
}
+ if err = ns.deps.ExecHelper.Sec().CheckAllowedGetEnv(skey); err != nil {
+ return "", err
+ }
+
return _os.Getenv(skey), nil
}
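Review bot: Getenv now has two distinct "no value" outcomes — an earlier condition returns `"", nil`, while a key rejected by the `security.funcs.getenv` allowlist returns `"", err` — and the function's doc comment (outside the hunk) does not say so. I would extend it with `// Access is restricted by the security.funcs.getenv configuration; keys not matching the allowlist return an error rather than an empty string.` so template authors understand why a previously working lookup now fails the build. Because the check sits after the early `return "", nil`, whatever that branch covers bypasses the policy entirely; that looks intentional but deserves a one-line comment. Getenv's signature and the preceding checks are outside the hunk.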
diff --git a/tpl/transform/transform_test.go b/tpl/transform/transform_test.go
index 2b0c69d09..260de5f83 100644
--- a/tpl/transform/transform_test.go
+++ b/tpl/transform/transform_test.go
@@ -241,7 +241,7 @@ func newDeps(cfg config.Provider) *deps.Deps {
l := langs.NewLanguage("en", cfg)
- cs, err := helpers.NewContentSpec(l, loggers.NewErrorLogger(), afero.NewMemMapFs())
+ cs, err := helpers.NewContentSpec(l, loggers.NewErrorLogger(), afero.NewMemMapFs(), nil)
if err != nil {
panic(err)
}